Vectorface / GoogleAuthenticator

PHP class to generate and verify Google Authenticator 2-factor authentication
BSD 2-Clause "Simplified" License

Always return false? #3

Closed JonathanNet closed 2 years ago

JonathanNet commented 2 years ago

Hi, I am trying to get this working, but it always returns false, even when the code is right. Is it a bug or something?

```php
$data = $this->validate($request, [
    'otp' => ['nullable', 'integer'],
]);

$ga = new GoogleAuthenticator();

// 2 = 2*30sec clock tolerance
$checkResult = $ga->verifyCode("TJRMM4M6HOOKRV2R", $data['otp'], 2);
echo $data['otp'];
dd($checkResult);
if ($checkResult) {
    echo 'OK';
} else {
    echo 'FAILED';
}
```

francislavoie commented 2 years ago

Works for me:

```
>>> use Vectorface\GoogleAuthenticator;
>>> $ga = new GoogleAuthenticator();
=> Vectorface\GoogleAuthenticator {#3412}

>>> $secret = $ga->createSecret();
=> "Y6JHZFCHJSFDF2NR"

>>> $oneCode = $ga->getCode($secret);
=> "028988"

>>> $checkResult = $ga->verifyCode($secret, $oneCode, 2);
=> true
```

francislavoie commented 2 years ago

I see you're using integer validation. That's not correct, because OTP codes can start with zeroes (as you can see in my example above), which if converted to an integer would just be 28988 instead of "028988".

The verifyCode method expects a string which only contains numbers, but it's not a "valid number" in and of itself because of the padded zeroes.
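
The leading-zero issue described in the comment above, as an added example that is not part of the thread or the library's code: a standalone RFC 6238 TOTP check showing that the same code verifies as a string and fails once it has been cast to an integer. The function names and the sample secret are assumptions made for illustration.

```php
<?php
// Added example, not the library's code: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).

function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop trailing padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

function totp(string $secret, int $slice): string {
    $hmac = hash_hmac('sha1', pack('J', $slice), base32Decode($secret), true);
    $offset = ord($hmac[19]) & 0x0F;         // dynamic truncation (RFC 4226)
    $value = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 1000000), 6, '0', STR_PAD_LEFT);
}

function verify(string $secret, $submitted, int $slice, int $window = 2): bool {
    $code = (string) $submitted;
    if (!preg_match('/^\d{6}$/D', $code)) {  // must be exactly six digits
        return false;
    }
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(totp($secret, $slice + $i), $code) || $ok;
    }
    return $ok;
}

$secret = 'JBSWY3DPEHPK3PXP';                // constructed sample secret
$slice = intdiv(time(), 30);
while (totp($secret, $slice)[0] !== '0') {   // find a code with a leading zero
    $slice++;
}
$code = totp($secret, $slice);
var_dump(verify($secret, $code, $slice));        // string form is accepted
var_dump(verify($secret, (int) $code, $slice));  // integer lost the zero: rejected
```

Validating the submitted value as a six-digit string (for example with a `^\d{6}$` pattern) instead of as an integer keeps the leading zeroes intact.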

francislavoie commented 2 years ago

I'll close this for now, I'm not seeing a problem and I have to assume this was a mistake in your code and not a problem with the library.

If you can dig deeper and find an actual problem that you can prove is the library's fault, we can reopen.